ELEVION PARTNERS

Linkedin
Menu

Privacy Policy

Effective as of 19 April 2026

 Introduction: The policy sets out how Elevion handles personal data of employees, contractors, clients, client end-users, candidates and any other individuals whose data comes into Elevion’s possession in the course of business.

Framework

This policy is aligned with:

  • The Digital Personal Data Protection Act, 2023 (“DPDPA”) of India, notified on 13 November 2025 with a phased implementation. Core operational obligations take effect from 13 May 2027, and Elevion is structuring its processing practices in line with DPDPA principles from today.
  • The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (applicable until DPDPA provisions fully take effect).
  • Where Elevion processes personal data of Philippine residents on behalf of a client, the Philippine Data Privacy Act of 2012 (RA 10173). In such cases, Elevion acts as a Personal Information Processor and complies with the instructions of the Personal Information Controller (the client).
  • Where the client’s operations extend to other regions and Elevion is required to process personal data of residents of those regions in the course of supporting the client’s procurement platform or related services, Elevion will comply with the data protection law applicable in each such region to the extent required by the engagement contract. This includes, where relevant, the EU General Data Protection Regulation 2016/679 and the UK GDPR, and the data protection laws of any other jurisdiction notified to Elevion by the client at the start of the engagement.
  • In every case, the specific data protection obligations, permitted processing purposes, data flows, retention periods and cross-border transfer mechanisms are documented in the Data Processing Agreement or equivalent contractual instrument between Elevion and the client before processing begins.

Principles

Elevion processes personal data on the following principles:

  • Lawfulness, fairness and transparency. Data is collected for a specified, lawful purpose, with notice to the individual.
  • Purpose limitation. Data is used only for the purpose for which it was collected, unless further processing is permitted by law or by fresh consent.
  • Data minimisation. Only the data necessary for the purpose is collected.
  • Data is kept accurate and, where relevant, up to date.
  • Storage limitation. Data is retained only for as long as necessary and is deleted or anonymised thereafter.
  • Data is protected using appropriate technical and organisational measures, as described in Elevion’s Information Security Policy.
  • Elevion maintains records of processing activities and can demonstrate compliance.

Data Protection Officer

Elevion has appointed a Data Protection Officer (DPO) by a Partners’ Resolution of the Founding Partners. The current DPO is Ashish Patil, Founding Partner and Director. The DPO is the contact point for data subjects, clients and regulators on all matters relating to personal data processing.

  • Designation: Data Protection Officer (DPO)
  • Appointed Lead: Ashish Patil (Founding Partner)
  • Contact Email: Ashish@elevionpartners.com

Privacy Impact Assessment

For every new engagement or new process that involves processing personal data on behalf of a client, Elevion performs a Privacy Impact Assessment (PIA) using a standard template maintained by the DPO. The PIA identifies the data involved, the purpose, the legal basis, the data flows, the controls in place, and any residual risks. The PIA is completed before processing begins and is reviewed at least annually or on material change.

Data subject rights

Elevion respects the rights of data subjects as defined by applicable laws, including the rights of access, correction, erasure (where applicable), objection, and the right to withdraw consent. In instances where Elevion processes personal data on behalf of a client, any data subject requests received by Elevion are forwarded to the client promptly for resolution. Elevion provides all reasonable assistance to the client to ensure these statutory rights are upheld and addressed in accordance with the underlying engagement contract.

Cross-border transfer

Elevion transfers personal data across borders only where permitted by the applicable law and the engagement contract, and where appropriate safeguards are in place (for example, the contract between Elevion and the client, or, where relevant, the client’s own cross-border transfer instruments). For transfers out of India, the transfer must be compatible with Section 16 of DPDPA and any notifications issued thereunder.

Breach response

A suspected or actual personal data breach must be reported to the DPO immediately. Elevion’s Data Breach Response Team, comprising the three Founding Partners and the DPO, is activated on report. The Team follows the steps set out in the Partners’ Resolution appointing the Data Breach Response Team. Where Elevion acts as a processor, the client is notified without undue delay. Where notification to a data protection authority is required by applicable law, including the Data Protection Board of India under DPDPA 2023 or the relevant supervisory authority in the jurisdiction of the affected data subjects, Elevion provides the notification within the timeframe specified by that law.

Retention

Personal data is retained only for as long as required by the engagement contract, by law, or by legitimate business need. Default retention periods are set out in the PIA for each engagement. At the end of the retention period, data is securely deleted or anonymised.

Training

All Elevion personnel receive data privacy awareness training on joining and at least annually. A training register is maintained by the DPO.

Changes to this Policy

Elevion may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. The updated policy will be published on this page with a revised effective date. We encourage you to review this page periodically.